Take Control of Your Web Browsing

noah@eff.org
@swartzcr

Electronic Frontier Foundation

• Non-profit defending civil liberties in the digital world
• Impact litigation, activism, technology
• Projects like HTTPS Everywhere, Let's Encrypt, Panopticlick and Privacy Badger
• I am a staff technologist at EFF
- I'm a programmer; I can't answer your legal questions
What We Are Going to Talk About

• Browser Tracking — It's a Bigger Problem Than You May Think
• Why Online Privacy Matters
• Who Is Tracking Us
• How Are They Doing It
• What Can We Do To Stop It
Third Parties Are Everywhere

• Images & CSS can be cached on CDNs
• Fonts, maps, videos, widgets
• Analytics engines
• Social media share buttons
• And obviously, ads

Your Browsing Is Being Tracked

• How third parties track you
- Unique ID cookies, canvas fingerprinting, tracking pixels, 'super cookies', and more!
• This is big business — a multi-billion dollar industry
Panopticlick

How Unique — and Trackable — Is Your Browser?

[Screenshot of a Panopticlick result page]

Your browser fingerprint appears to be unique among the 5,678,435 tested so far.

Currently, we estimate that your browser has a fingerprint that conveys at least 22.44 bits of identifying information.

The measurements we used to obtain this result are listed below. You can read more about our methodology, statistical results, and some defenses against fingerprinting in this article.

Browser characteristic: bits of identifying information (one in x browsers have this value), followed by the measured value:

• User Agent: 13.23 bits (1 in 9591.95)
- Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
• HTTP_ACCEPT Headers: 6 bits (1 in 64.14)
- text/html, */* gzip, deflate en-US,en;q=0.8
• Browser Plugin Details: 13.86 bits (1 in 14865.01)
- Plugin 0: Chromium PDF Viewer; ; mhjfbmdgcfjbbpaeojofohoefgiehjai; (; application/pdf; pdf). Plugin 1: Chromium PDF Viewer; Portable Document Format; internal-pdf-viewer; (Portable Document Format; application/x-google-chrome-pdf; pdf).
• Time Zone: 4.52 bits (1 in 22.94)
- 420
• Screen Size and Color Depth: 6.9 bits (1 in 119.78)
- 2560x1440x24
• System Fonts: 2.24 bits (1 in 4.72)
- No Flash or Java fonts detected
• Are Cookies Enabled?: 0.43 bits (1 in 1.34)
- Yes
• Limited supercookie test: 0.85 bits (1 in 1.8)
- DOM localStorage: Yes, DOM sessionStorage: Yes, IE userData: No

Each "one in x" figure is 2 raised to the bits figure, and 22.44 bits is log2 of the 5,678,435-browser sample: a fingerprint that is unique in the sample carries at least that much identifying information.

A research project of the Electronic Frontier Foundation

ELECTRONIC FRONTIER FOUNDATION
eff.org
<SeaGL - October - 2015>

Who is tracking you online?
Some Key Players in the Industry

[Logos]
• AddThis
• Acxiom
• Spokeo
• DoubleClick by Google
• Facebook
Third Party Trackers

• Non-consensual
- You don't opt in to an agreement with them
• Ubiquitous
• Hard to avoid
• Strong financial incentive
But I Like Targeted Ads!

• You have no control over how your information is stored/used
• Third parties have no obligation to anonymize or store temporarily
• Data can be stolen or sold
• Misuse of ad targeting

[Screenshot: The Wall Street Journal, "What They Know" series: "Websites Vary Prices, Deals Based on Users' Information"]

[Screenshot: article "Digital inclusion and data profiling" in a peer-reviewed journal on the Internet]
Third Party Tracking is Also Useful For Spies

[Screenshot: The Washington Post, The Switch: "NSA uses Google cookies to pinpoint targets for hacking"]

[Screenshot: Slate, Future Tense, Dec 13 2013: "How the NSA Piggy-Backs on Third-Party Trackers", by Edward Felten and Jonathan Mayer]

[Screenshot: The Intercept, featured news, Micah Lee, Jan. 26 2015: "Secret 'BADASS' Intelligence Program Spied on Smartphones"]

Cookies!

[Slide from a leaked document, marked TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL]

What can cookies be used for?

• Cookies can be used to identify a single machine from hundreds of other users on the same proxy IP address
• The Yahoo B cookie is a "machine specific cookie"
Why Should You Care About Privacy?

• You May Want to Read Things That Are Controversial or Embarrassing, For Research or Just General Interest
• Data Which May Be Embarrassing When Put Together
- A search for health insurance quotes and then looking up a disease on WebMD, for example
• Chilling Effects
How Can Online Tracking be Stopped?

How About Incognito Browsing?

• Only untrackable between sessions
• Hard to retain first party info
• Vulnerable to fingerprinting
- And some super cookies
• Tor Browser
- Not a general purpose solution
- Hard for the layperson
- Tor network couldn't handle the load of all web users
What About Ad Blockers?

• By default only block ads, not necessarily trackers
• Blacklist means they're always behind
• Arms race problem
• Not always trustworthy
- Ghostery sells information to advertisers
- Other ad blockers will get paid off to unblock ads
Policy Work — Do Not Track

• A header standard
• Opt in to DNT - advertisers will not track you
- Really, they only don't tell you they are tracking you
• Not as strong as it could be
• Low level of adoption
• Not a real privacy preserving option
Digital Advertising Alliance

• Advertisers have proposed to self-regulate
• DAA members offer an 'opt out'
- Only required to not show targeted ads
- No requirements on what data they can and cannot collect/store
• Not legally binding
• Still only limited adoption
A Combination of Tech and Policy

[Screenshot of headline: "New Browser Plugin Blocks Spying Ads and Invisible Trackers."]

Privacy Badger in its natural habitat

Privacy Badger

• Browser plugin - Chrome/Firefox
• Open source - GPLv3
• Focuses on completely blocking trackers
• Tries to solve the arms race problem
- Uses an algorithm instead of a blacklist
- Can cause false positives and false negatives
- Allows advertisers a way out
How Does Privacy Badger Work?

• Send a DNT=1 header
• Watch for requests to third party domains
• If a third party domain sets a high entropy cookie, add it to a list of potential trackers
• If the tracker is seen on multiple sites, block it
Or anonymize your browser but still load the content

Privacy Badger on NYT.com

[Screenshot: "Privacy Badger detected 0 trackers on this page. These sliders let you control how Privacy Badger handles each tracker." Listed domains: al.nyt.com, i2.nyt.com, int.nyt.com, static01.nyt.com; buttons "Disable Privacy Badger for This Site", "Report Broken Site"]
How Does Privacy Badger Work?

• Entropy in Information Theory
- The information contained in a message, usually in units such as bits.
- A 2 bit message would have 2 bits of entropy, or 1 in 4
• Low entropy cookie:
- lang=es /* about 8 bits of entropy, or 1 in 256 */
• High entropy cookie:
- utmz=32c3e3f09a23 /* about 48 bits of entropy */
- Approximately 1 in 281.5 trillion
How Does Privacy Badger Work?

• Occasionally a tracker can't be blocked without creating significant problems for the user
- YouTube, Google Maps, AWS, PayPal, etc.
• For these we block cookies rather than the whole request
- HTTP and JavaScript cookies
- HTML5 supercookies
- Canvas fingerprinting
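The heuristic sketched on the three "How Does Privacy Badger Work?" slides above (high-entropy third-party cookies, a block once the same tracker turns up on several first-party sites, and cookie-only blocking for domains that pages cannot live without), written out as an added illustration. This is not Privacy Badger's own source. The 12-bit entropy threshold, the three-site threshold, the character-class entropy estimate, the last-two-labels base-domain rule, the cookie-block list and the browsing log are all assumptions constructed for the example; the DNT header and the social-widget replacement are left out.

```javascript
// Added illustration of the tracker-detection heuristic described on the slides.
// Not Privacy Badger's code. Thresholds and the entropy estimate are assumptions.
"use strict";

const HIGH_ENTROPY_BITS = 12;  // assumed: a cookie value above this is treated as an identifier
const BLOCK_AFTER_SITES = 3;   // assumed: block once seen setting such cookies on this many sites

// Rough upper bound on the entropy of a cookie value, following the slide's
// reasoning: a 12-character hex value is 12 * 4 = 48 bits, a two-letter
// language code is a handful of bits. Each character is credited with log2 of
// the alphabet the value appears to be drawn from.
function estimateEntropyBits(value) {
  if (!value) return 0;
  if (/^[0-9]+$/.test(value)) return value.length * Math.log2(10);
  if (/^[0-9a-f]+$/i.test(value) && /[0-9]/.test(value) && /[a-f]/i.test(value)) {
    return value.length * 4; // hex: 16 symbols per character
  }
  let alphabet = 0;
  if (/[0-9]/.test(value)) alphabet += 10;
  if (/[a-z]/.test(value)) alphabet += 26;
  if (/[A-Z]/.test(value)) alphabet += 26;
  if (/[^0-9a-zA-Z]/.test(value)) alphabet += 32; // assumed size of the punctuation class
  return value.length * Math.log2(alphabet);
}

// Pull name=value out of a Set-Cookie header, dropping Path, Domain, Expires, ...
function cookiePair(setCookieHeader) {
  const [pair] = setCookieHeader.split(";");
  const eq = pair.indexOf("=");
  if (eq < 0) return null;
  return { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim() };
}

// Assumed base-domain rule: the last two DNS labels. A real implementation
// needs the Public Suffix List (co.uk, github.io, ...), which is left out here.
function baseDomain(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

class TrackerHeuristic {
  constructor(cookieBlockList = new Set()) {
    this.seenOn = new Map();                // tracker base domain -> Set of first-party base domains
    this.cookieBlockList = cookieBlockList; // assumed list of domains pages break without
  }

  // One observed response: the first-party page the user is on, the host that
  // answered, and the Set-Cookie headers it sent. Returns the action taken
  // for that host from now on: "allow", "potential", "block" or "cookieblock".
  observe(firstPartyHost, requestHost, setCookieHeaders = []) {
    const site = baseDomain(firstPartyHost);
    const tracker = baseDomain(requestHost);
    if (site === tracker) return "allow"; // first-party cookies are the site's own business

    const identifying = setCookieHeaders
      .map(cookiePair)
      .filter(Boolean)
      .some(c => estimateEntropyBits(c.value) >= HIGH_ENTROPY_BITS);
    if (identifying) {
      if (!this.seenOn.has(tracker)) this.seenOn.set(tracker, new Set());
      this.seenOn.get(tracker).add(site);
    }
    return this.action(tracker);
  }

  action(trackerBaseDomain) {
    const sites = this.seenOn.get(trackerBaseDomain);
    if (!sites) return "allow";
    if (sites.size < BLOCK_AFTER_SITES) return "potential";
    // Domains the page would break without get their cookies stripped instead
    // of the whole request being blocked.
    return this.cookieBlockList.has(trackerBaseDomain) ? "cookieblock" : "block";
  }
}

// Constructed browsing log (not real traffic): three first-party sites, each
// loading its own session cookie, an ad beacon, a font CDN and a video embed.
function runSampleLog() {
  const heuristic = new TrackerHeuristic(new Set(["video-example.com"]));
  const last = {};
  for (const site of ["news.example", "blog.example", "shop.example"]) {
    last.firstParty = heuristic.observe(site, "www." + site, ["session=32c3e3f09a23; Path=/"]);
    last.ads = heuristic.observe(site, "beacon.ads-example.net", ["utmz=32c3e3f09a23; Domain=.ads-example.net"]);
    last.fonts = heuristic.observe(site, "cdn.fonts-example.com", ["lang=es; Path=/"]);
    last.video = heuristic.observe(site, "embed.video-example.com", ["VISITOR=a8f3e1c9b2d4; Path=/"]);
  }
  return last; // { firstParty: "allow", ads: "block", fonts: "allow", video: "cookieblock" }
}
```

The font CDN is never flagged because "es" carries only a few bits; the ad beacon is "potential" after the first site and "block" after the third; the video host reaches the same count but is on the cookie-block list, so only its cookies are stripped. The entropy estimate is deliberately an upper bound: a tracker that wants to slip under the threshold can spread an identifier across several low-entropy cookies, which is one reason the real heuristic is only part of the picture.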
Privacy Badger on BoingBoing.net

[Screenshot: "Privacy Badger detected 9 trackers on this page. These sliders let you control how Privacy Badger handles each tracker." Listed domain: licensebuttons.net]

Privacy Badger on Gawker.com

[Screenshot: "Privacy Badger detected 14 trackers on this page. These sliders let you control how Privacy Badger handles each tracker." Listed domains: secure-us.imrworldwide.com, kinja.com, beacon.krxd.net, cdn.krxd.net, bam.nr-data.net, edge.quantserve.com; buttons "Disable Privacy Badger for This Site", "Report Broken Site"]
How Does Privacy Badger Work?

• Users can see and adjust what is blocked, greylisted and allowed
• Can disable Privacy Badger entirely for certain sites if they wish
• Can opt back in to third parties for certain uses (e.g. Disqus, YouTube comments)
User Choice!

[Screenshot: Privacy Badger popup with "Enable Privacy Badger for This Site" and "Report Broken Site"; listed domains: google-analytics.com, googleadservices.com, fonts.googleapis.com]
How Does Privacy Badger Work?

• Social Widgets
- Privacy Badger replaces them with locally sourced versions
- Gives the option to turn them back on

[Screenshot: a news article whose Tweet share button has been replaced by Privacy Badger's local version]

But what about third party sites that legitimately do not wish to track users?
The Policy Side — A New DNT

• We just released DNT 1.0!
- https://www.eff.org/dnt-policy
• Sites host it at a .well-known URL (/.well-known/dnt-policy.txt)
• States that users sending DNT will not be tracked
• Blocking sites that don't respect DNT creates an incentive to respect DNT

The Policy Side — A New DNT

• User identifiers will be discarded
• Logs will not be kept longer than necessary
• Data can be kept for debugging or security
• Data won't be sold to sites that don't respect this DNT policy
• Sites adopting it get whitelisted by Privacy Badger
- But this won't override user settings
Privacy Badger

[Screenshot: Privacy Badger popup, "Privacy Badger detected 3 trackers on this page. These sliders let you control how Privacy Badger handles each tracker."; buttons "Disable Privacy Badger for This Site", "Report Broken Site"]

[Screenshot: Panopticlick tracker test, "A research project of the Electronic Frontier Foundation"]

We tested your browser & addons. Do they protect you against non-consensual Web tracking?

Yes! You have strong protection against Web tracking

Test / Result:
• Is your browser blocking tracking ads? yes
• Is your browser blocking invisible trackers? yes
• Is your browser accepting Do Not Track commitments? yes
The Policy Side — A New DNT

• Drafted with Disconnect, adopted by:
- Mixpanel
- Medium
- AdBlock
- Adzerk
- Healthcare.gov
• And more to come!

What Are You Waiting For? Get Privacy Badger!

EFF.org/pb
How You Can Help

• Use Privacy Badger
- Report broken sites from inside Privacy Badger
• Submit a bug report / pull request
- https://github.com/EFForg
• Respect users who send the DNT header
• Donate to EFF!

Still To Come...

• Better tracker detection algorithms
• Localization / UI
• Extension enumeration
• Mobile/Safari versions
• More DNT adoption from third parties
How Can I Contribute?

Github.com/EFForg/privacybadgerchrome

[Screenshot of the GitHub repository page EFForg/privacybadgerchrome: "Chrome version of Privacy Badger based on AdBlock Plus"; 947 commits, 12 branches, 19 releases, 29 contributors, 297 stars, 55 forks, 6 open pull requests; latest commit "Merge pull request #614 from EFForg/contribution" by cooperq. Top-level entries: locales, doc, icons, lib, scripts, skin, src, tests, .gitignore, .travis.yml, Gruntfile.js, LICENSE, Makefile, README.md, manifest.json, package.json, setup_travis.sh, yellowlist-criteria.txt]
How Can I Contribute?

• Repos for both Chrome & Firefox
• Issues are well tagged
- 'Good Volunteer Task', 'High Priority', 'UI'
• GPLv3!!!
• Non-technical tasks as well
• Half a million users!

How Can I Contribute?

• JavaScript code
• Planned mobile ports
- iOS & Android, and Firefox for mobile
• Uses the Chrome webRequest API
• More fingerprinting techniques
• Lots more tests to add :)
Get involved!

Email me at: Noah@EFF.org

https://github.com/EFForg/privacybadgerchrome
https://github.com/EFForg/privacybadgerfirefox

Apply for Outreachy:

https://www.eff.org/about/opportunities/tech-interns

Thanks!

Questions?

noah@eff.org
Twitter: @swartzcr
https://eff.org/privacybadger
p.s. I have stickers

PGP: 9206 A6E0 F07C F141 663F 8B93 9C7A DED2 2966 0F56



